@fedify/fedify 2.2.3-dev.1098 → 2.2.3

package/dist/federation/handler.test.mjs

@@ -4,13 +4,15 @@ globalThis.addEventListener = () => {};
 import { n as createOutboxContext, r as createRequestContext, t as createInboxContext } from "../context-Dk_tacqz.mjs";
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
 import "../std__assert-CRDpx_HF.mjs";
+import { t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
 import { t as assertInstanceOf } from "../assert_instance_of-C4Ri6VuN.mjs";
 import { t as assert } from "../assert-DikXweDx.mjs";
 import { r as parseAcceptSignature } from "../accept-CPkZzmGN.mjs";
-import { s as signRequest } from "../http-BDCGf4Ac.mjs";
+import { s as signRequest } from "../http-C_edJspG.mjs";
 import { a as rsaPrivateKey3, c as rsaPublicKey3, s as rsaPublicKey2 } from "../keys-DGu1NFwu.mjs";
+import { a as compactJsonLd, p as signJsonLd } from "../ld-tusP_XxG.mjs";
 import { t as MemoryKvStore } from "../kv-rV3vodCc.mjs";
-import { c as handleActor, d as handleInbox, f as handleObject, h as respondWithObjectIfAcceptable, l as handleCollection, m as respondWithObject, o as createFederation, p as handleOutbox, u as handleCustomCollection } from "../middleware-2gmMVy8b.mjs";
+import { c as handleActor, d as handleInbox, f as handleObject, h as respondWithObjectIfAcceptable, l as handleCollection, m as respondWithObject, o as createFederation, p as handleOutbox, u as handleCustomCollection } from "../middleware-D9k0Knum.mjs";
 import { t as ActivityListenerSet } from "../activity-listener-ell7W1s9.mjs";
 import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { Activity, Create, Note, Person, Tombstone } from "@fedify/vocab";
@@ -956,6 +958,11 @@ test("handleInbox()", async () => {
 		if (identifier !== "someone") return null;
 		return new Person({ name: "Someone" });
 	};
+	const restrictiveContextLoader = async (resource) => {
+		const url = new URL(resource).href;
+		if (url === "https://www.w3.org/ns/activitystreams" || url === "https://w3id.org/identity/v1") return await mockDocumentLoader(url);
+		throw new Error(`Unexpected context: ${url}`);
+	};
 	const inboxOptions = {
 		kv: new MemoryKvStore(),
 		kvPrefixes: {
@@ -970,83 +977,1081 @@ test("handleInbox()", async () => {
 	};
 	let response = await handleInbox(unsignedRequest, {
 		recipient: null,
-		context: unsignedContext,
+		context: unsignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...unsignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions,
+		actorDispatcher: void 0
+	});
+	assertEquals(onNotFoundCalled, unsignedRequest);
+	assertEquals(response.status, 404);
+	onNotFoundCalled = null;
+	response = await handleInbox(unsignedRequest, {
+		recipient: "nobody",
+		context: unsignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...unsignedContext,
+				clone: void 0,
+				recipient: "nobody"
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(onNotFoundCalled, unsignedRequest);
+	assertEquals(response.status, 404);
+	onNotFoundCalled = null;
+	response = await handleInbox(unsignedRequest, {
+		recipient: null,
+		context: unsignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...unsignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertEquals(response.status, 401);
+	response = await handleInbox(unsignedRequest, {
+		recipient: "someone",
+		context: unsignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...unsignedContext,
+				clone: void 0,
+				recipient: "someone"
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertEquals(response.status, 401);
+	const malformedProofCreatedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/data-integrity/v1"],
+			id: "https://example.com/activities/invalid-proof-created",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/invalid-proof-created",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			},
+			proof: {
+				type: "DataIntegrityProof",
+				cryptosuite: "eddsa-jcs-2022",
+				verificationMethod: "https://example.com/person2#main-key",
+				proofPurpose: "assertionMethod",
+				created: { "@value": "not-a-date" },
+				proofValue: "zLaewdp4H9kqtwyrLatK4cjY5oRHwVcw4gibPSUDYDMhi4M49v8pcYk3ZB6D69dNpAPbUmY8ocuJ3m9KhKJEEg7z"
+			}
+		})
+	});
+	const malformedProofCreatedContext = createRequestContext({
+		federation,
+		request: malformedProofCreatedRequest,
+		url: new URL(malformedProofCreatedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	response = await handleInbox(malformedProofCreatedRequest, {
+		recipient: null,
+		context: malformedProofCreatedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...malformedProofCreatedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals([response.status, await response.text()], [400, "Invalid activity."]);
+	onNotFoundCalled = null;
+	const signedRequest = await signRequest(unsignedRequest.clone(), rsaPrivateKey3, rsaPublicKey3.id);
+	const signedContext = createRequestContext({
+		federation,
+		request: signedRequest,
+		url: new URL(signedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	response = await handleInbox(signedRequest, {
+		recipient: null,
+		context: signedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...unsignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertEquals([response.status, await response.text()], [202, ""]);
+	const ldSignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await signJsonLd({
+			"@context": [
+				"https://www.w3.org/ns/activitystreams",
+				"https://w3id.org/identity/v1",
+				"https://w3id.org/security/v1",
+				"https://w3id.org/security/data-integrity/v1"
+			],
+			id: "https://example.com/activities/ld-signed",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/ld-signed",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		}, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: mockDocumentLoader }))
+	});
+	const ldSignedContext = createRequestContext({
+		federation,
+		request: ldSignedRequest,
+		url: new URL(ldSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: restrictiveContextLoader
+	});
+	response = await handleInbox(ldSignedRequest, {
+		recipient: null,
+		context: ldSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...ldSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertEquals([response.status, await response.text()], [202, ""]);
+	const remoteContextUrl = "https://remote.example/contexts/ext";
+	let failRemoteContextOnce = true;
+	const flakyContextLoader = async (resource) => {
+		const url = new URL(resource).href;
+		if (url === remoteContextUrl) {
+			if (failRemoteContextOnce) {
+				failRemoteContextOnce = false;
+				throw new Error(`Unexpected context: ${url}`);
+			}
+			return {
+				contextUrl: null,
+				documentUrl: url,
+				document: { "@context": { ext: "https://example.com/ext" } }
+			};
+		}
+		return await mockDocumentLoader(url);
+	};
+	const httpSignedLdBody = {
+		"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+		id: "https://example.com/activities/http-signed-ld",
+		type: "Create",
+		actor: "https://example.com/person2",
+		ext: "preserve-me",
+		object: {
+			id: "https://example.com/notes/http-signed-ld",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		},
+		signature: {
+			type: "RsaSignature2017",
+			creator: rsaPublicKey3.id.href,
+			created: "2024-01-01T00:00:00Z",
+			signatureValue: "bogus"
+		}
+	};
+	const httpSignedLdRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(httpSignedLdBody)
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const httpSignedLdContext = createRequestContext({
+		federation,
+		request: httpSignedLdRequest,
+		url: new URL(httpSignedLdRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: flakyContextLoader
+	});
+	response = await handleInbox(httpSignedLdRequest, {
+		recipient: null,
+		context: httpSignedLdContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...httpSignedLdContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertEquals([response.status, await response.text()], [202, ""]);
+	const ldSignedOnlyBody = await signJsonLd({
+		"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+		id: "https://example.com/activities/ld-only-transient",
+		type: "Create",
+		actor: "https://example.com/person2",
+		ext: "preserve-me",
+		object: {
+			id: "https://example.com/notes/ld-only-transient",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		}
+	}, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: async (resource) => {
+		const url = new URL(resource).href;
+		if (url === remoteContextUrl) return {
+			contextUrl: null,
+			documentUrl: url,
+			document: { "@context": { ext: "https://example.com/ext" } }
+		};
+		return await mockDocumentLoader(url);
+	} });
+	const malformedTemporalLdSignedBody = await signJsonLd({
+		"@context": "https://www.w3.org/ns/activitystreams",
+		id: "https://example.com/activities/ld-only-invalid-published",
+		type: "Create",
+		actor: "https://example.com/person2",
+		published: { "@value": "not-a-date" },
+		object: {
+			id: "https://example.com/notes/ld-only-invalid-published",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		}
+	}, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: mockDocumentLoader });
+	const malformedTemporalLdSignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(malformedTemporalLdSignedBody)
+	});
+	const malformedTemporalLdSignedContext = createRequestContext({
+		federation,
+		request: malformedTemporalLdSignedRequest,
+		url: new URL(malformedTemporalLdSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	response = await handleInbox(malformedTemporalLdSignedRequest, {
+		recipient: null,
+		context: malformedTemporalLdSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...malformedTemporalLdSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals([response.status, await response.text()], [400, "Invalid activity."]);
+	const malformedClosedLdSignedBody = await signJsonLd({
+		"@context": "https://www.w3.org/ns/activitystreams",
+		id: "https://example.com/questions/ld-only-invalid-closed",
+		type: "Question",
+		closed: "2024-02-31T00:00:00Z"
+	}, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: mockDocumentLoader });
+	const malformedClosedLdSignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(malformedClosedLdSignedBody)
+	});
+	const malformedClosedLdSignedContext = createRequestContext({
+		federation,
+		request: malformedClosedLdSignedRequest,
+		url: new URL(malformedClosedLdSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	response = await handleInbox(malformedClosedLdSignedRequest, {
+		recipient: null,
+		context: malformedClosedLdSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...malformedClosedLdSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals([response.status, await response.text()], [400, "Invalid activity."]);
+	const malformedIriHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": "https://www.w3.org/ns/activitystreams",
+			id: "http://[",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-invalid-iri",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const malformedIriHttpSignedContext = createRequestContext({
+		federation,
+		request: malformedIriHttpSignedRequest,
+		url: new URL(malformedIriHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	response = await handleInbox(malformedIriHttpSignedRequest, {
+		recipient: null,
+		context: malformedIriHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...malformedIriHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals([response.status, await response.text()], [400, "Invalid activity."]);
+	const ldSignedOnlyRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(ldSignedOnlyBody)
+	});
+	const ldSignedOnlyContext = createRequestContext({
+		federation,
+		request: ldSignedOnlyRequest,
+		url: new URL(ldSignedOnlyRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			const url = new URL(resource).href;
+			if (url === remoteContextUrl) throw new Error(`Unexpected context: ${url}`);
+			return await mockDocumentLoader(url);
+		}
+	});
+	await assertRejects(() => handleInbox(ldSignedOnlyRequest, {
+		recipient: null,
+		context: ldSignedOnlyContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...ldSignedOnlyContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	}), Error);
+	failRemoteContextOnce = true;
+	const invalidHttpFallbackRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(ldSignedOnlyBody),
+		headers: { Signature: "bogus" }
+	});
+	const invalidHttpFallbackContext = createRequestContext({
+		federation,
+		request: invalidHttpFallbackRequest,
+		url: new URL(invalidHttpFallbackRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: flakyContextLoader
+	});
+	await assertRejects(() => handleInbox(invalidHttpFallbackRequest, {
+		recipient: null,
+		context: invalidHttpFallbackContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...invalidHttpFallbackContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	}), Error);
+	const transientKeyContextUrl = "https://remote.example/contexts/key";
+	const transientCreatorUrl = "https://remote.example/keys/transient#main-key";
+	const verificationFailureLdSignedBody = await signJsonLd({
+		"@context": "https://www.w3.org/ns/activitystreams",
+		id: "https://example.com/activities/ld-key-fetch-transient",
+		type: "Create",
+		actor: "https://example.com/person2",
+		object: {
+			id: "https://example.com/notes/ld-key-fetch-transient",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		}
+	}, rsaPrivateKey3, new URL(transientCreatorUrl), { contextLoader: mockDocumentLoader });
+	const verificationFailureLdSignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(verificationFailureLdSignedBody),
+		headers: { Signature: "bogus" }
+	});
+	const verificationFailureLdSignedContext = createRequestContext({
+		federation,
+		request: verificationFailureLdSignedRequest,
+		url: new URL(verificationFailureLdSignedRequest.url),
+		data: void 0,
+		documentLoader: async (resource) => {
+			if (resource === transientCreatorUrl) return {
+				contextUrl: null,
+				documentUrl: resource,
+				document: {
+					"@context": [transientKeyContextUrl],
+					id: resource
+				}
+			};
+			return await mockDocumentLoader(new URL(resource).href);
+		},
+		contextLoader: async (resource) => {
+			if (resource === transientKeyContextUrl) throw new Error(`Transient key context failure: ${resource}`);
+			return await mockDocumentLoader(new URL(resource).href);
+		}
+	});
+	response = await handleInbox(verificationFailureLdSignedRequest, {
+		recipient: null,
+		context: verificationFailureLdSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...verificationFailureLdSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals([response.status, await response.text()], [401, "Failed to verify the request signature."]);
+	failRemoteContextOnce = true;
+	const deferredMalformedTemporalLdSignedBody = await signJsonLd({
+		"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+		id: "https://example.com/activities/deferred-invalid-published",
+		type: "Create",
+		actor: "https://example.com/person2",
+		ext: "preserve-me",
+		published: { "@value": "not-a-date" },
+		object: {
+			id: "https://example.com/notes/deferred-invalid-published",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		}
+	}, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: async (resource) => {
+		const url = new URL(resource).href;
+		if (url === remoteContextUrl) return {
+			contextUrl: null,
+			documentUrl: url,
+			document: { "@context": { ext: "https://example.com/ext" } }
+		};
+		return await mockDocumentLoader(url);
+	} });
+	const deferredMalformedTemporalLdSignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(deferredMalformedTemporalLdSignedBody),
+		headers: { Signature: "bogus" }
+	});
+	const deferredMalformedTemporalLdSignedContext = createRequestContext({
+		federation,
+		request: deferredMalformedTemporalLdSignedRequest,
+		url: new URL(deferredMalformedTemporalLdSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: flakyContextLoader
+	});
+	response = await handleInbox(deferredMalformedTemporalLdSignedRequest, {
+		recipient: null,
+		context: deferredMalformedTemporalLdSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...deferredMalformedTemporalLdSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals([response.status, await response.text()], [400, "Invalid activity."]);
+	const malformedLdSignedRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			...ldSignedOnlyBody,
+			"@context": ["not a url", "https://www.w3.org/ns/activitystreams"]
+		})
+	});
+	const malformedLdSignedContext = createRequestContext({
+		federation,
+		request: malformedLdSignedRequest,
+		url: new URL(malformedLdSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	response = await handleInbox(malformedLdSignedRequest, {
+		recipient: null,
+		context: malformedLdSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...malformedLdSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals([response.status, await response.text()], [400, "Invalid JSON-LD."]);
+	const dualSignedInvalidCreatorRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			...httpSignedLdBody,
+			signature: {
+				...httpSignedLdBody.signature,
+				creator: "not a url"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const dualSignedInvalidCreatorContext = createRequestContext({
+		federation,
+		request: dualSignedInvalidCreatorRequest,
+		url: new URL(dualSignedInvalidCreatorRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: flakyContextLoader
+	});
+	response = await handleInbox(dualSignedInvalidCreatorRequest, {
+		recipient: null,
+		context: dualSignedInvalidCreatorContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...dualSignedInvalidCreatorContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(onNotFoundCalled, null);
+	assertEquals([response.status, await response.text()], [202, ""]);
+	const invalidUrlHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-invalid-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			ext: "preserve-me",
+			object: {
+				id: "https://example.com/notes/http-signed-invalid-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const invalidUrlHttpSignedContext = createRequestContext({
+		federation,
+		request: invalidUrlHttpSignedRequest,
+		url: new URL(invalidUrlHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			const url = new URL(resource).href;
+			if (url === remoteContextUrl) {
+				const error = /* @__PURE__ */ new Error(`Transient remote context failure: ${url}`);
+				error.name = "jsonld.InvalidUrl";
+				error.details = {
+					code: "loading remote context failed",
+					url
+				};
+				throw error;
+			}
+			return await mockDocumentLoader(url);
+		}
+	});
+	await assertRejects(() => handleInbox(invalidUrlHttpSignedRequest, {
+		recipient: null,
+		context: invalidUrlHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...invalidUrlHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	}), Error);
+	const opaqueContextIdHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": ["app-context", "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-opaque-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-opaque-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const opaqueContextIdHttpSignedContext = createRequestContext({
+		federation,
+		request: opaqueContextIdHttpSignedRequest,
+		url: new URL(opaqueContextIdHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			if (resource === "app-context") {
+				const error = /* @__PURE__ */ new Error(`Opaque context backend is unavailable: ${resource}`);
+				error.name = "jsonld.InvalidUrl";
+				error.details = {
+					code: "loading remote context failed",
+					url: resource
+				};
+				throw error;
+			}
+			return await mockDocumentLoader(new URL(resource).href);
+		}
+	});
+	await assertRejects(() => handleInbox(opaqueContextIdHttpSignedRequest, {
+		recipient: null,
+		context: opaqueContextIdHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...opaqueContextIdHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	}), Error);
+	const opaqueContextTypeErrorHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": ["app:context", "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-opaque-typeerror",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-opaque-typeerror",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const opaqueContextTypeErrorHttpSignedContext = createRequestContext({
+		federation,
+		request: opaqueContextTypeErrorHttpSignedRequest,
+		url: new URL(opaqueContextTypeErrorHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			if (resource === "app:context") throw new TypeError(`Invalid URL: ${resource}`);
+			return await mockDocumentLoader(new URL(resource).href);
+		}
+	});
+	await assertRejects(() => handleInbox(opaqueContextTypeErrorHttpSignedRequest, {
+		recipient: null,
+		context: opaqueContextTypeErrorHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...opaqueContextTypeErrorHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	}), Error);
+	const networkPathContextHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": ["//cdn.example/ctx", "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-network-path-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-network-path-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const networkPathContextHttpSignedContext = createRequestContext({
+		federation,
+		request: networkPathContextHttpSignedRequest,
+		url: new URL(networkPathContextHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			if (resource === "//cdn.example/ctx") {
+				const error = /* @__PURE__ */ new Error(`Network-path context backend is unavailable: ${resource}`);
+				error.name = "jsonld.InvalidUrl";
+				error.details = {
+					code: "loading remote context failed",
+					url: resource
+				};
+				throw error;
+			}
+			return await mockDocumentLoader(new URL(resource).href);
+		}
+	});
+	await assertRejects(() => handleInbox(networkPathContextHttpSignedRequest, {
+		recipient: null,
+		context: networkPathContextHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...networkPathContextHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	}), Error);
+	const malformedNetworkPathContextHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": ["//[", "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-malformed-network-path-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-malformed-network-path-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const malformedNetworkPathContextHttpSignedContext = createRequestContext({
+		federation,
+		request: malformedNetworkPathContextHttpSignedRequest,
+		url: new URL(malformedNetworkPathContextHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			if (resource === "//[") {
+				const error = /* @__PURE__ */ new Error(`Malformed network-path context: ${resource}`);
+				error.name = "jsonld.InvalidUrl";
+				error.details = {
+					code: "loading remote context failed",
+					url: resource
+				};
+				throw error;
+			}
+			return await mockDocumentLoader(new URL(resource).href);
+		}
+	});
+	response = await handleInbox(malformedNetworkPathContextHttpSignedRequest, {
+		recipient: null,
+		context: malformedNetworkPathContextHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...malformedNetworkPathContextHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(response.status, 400);
+	const malformedUrlLikeContextHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": ["http://[", "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-malformed-url-like-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-malformed-url-like-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const malformedUrlLikeContextHttpSignedContext = createRequestContext({
+		federation,
+		request: malformedUrlLikeContextHttpSignedRequest,
+		url: new URL(malformedUrlLikeContextHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			if (resource === "http://[") {
+				const error = /* @__PURE__ */ new Error(`Invalid remote context URL: ${resource}`);
+				error.name = "jsonld.InvalidUrl";
+				error.details = {
+					code: "loading remote context failed",
+					url: resource
+				};
+				throw error;
+			}
+			return await mockDocumentLoader(new URL(resource).href);
+		}
+	});
+	response = await handleInbox(malformedUrlLikeContextHttpSignedRequest, {
+		recipient: null,
+		context: malformedUrlLikeContextHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...malformedUrlLikeContextHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(response.status, 400);
+	const malformedContextUrlHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": ["not a url", "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-malformed-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-malformed-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const malformedContextUrlHttpSignedContext = createRequestContext({
+		federation,
+		request: malformedContextUrlHttpSignedRequest,
+		url: new URL(malformedContextUrlHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			if (resource === "not a url") {
+				const error = /* @__PURE__ */ new Error(`Invalid remote context URL: ${resource}`);
+				error.name = "jsonld.InvalidUrl";
+				error.details = {
+					code: "loading remote context failed",
+					url: resource
+				};
+				throw error;
+			}
+			return await mockDocumentLoader(new URL(resource).href);
+		}
+	});
+	response = await handleInbox(malformedContextUrlHttpSignedRequest, {
+		recipient: null,
+		context: malformedContextUrlHttpSignedContext,
 		inboxContextFactory(_activity) {
 			return createInboxContext({
-				...unsignedContext,
+				...malformedContextUrlHttpSignedContext,
 				clone: void 0
 			});
 		},
-		...inboxOptions,
-		actorDispatcher: void 0
+		...inboxOptions
 	});
-	assertEquals(onNotFoundCalled, unsignedRequest);
-	assertEquals(response.status, 404);
-	onNotFoundCalled = null;
-	response = await handleInbox(unsignedRequest, {
-		recipient: "nobody",
-		context: unsignedContext,
+	assertEquals(response.status, 400);
+	const invalidRemoteContextHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-invalid-remote-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			object: {
+				id: "https://example.com/notes/http-signed-invalid-remote-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const invalidRemoteContextHttpSignedContext = createRequestContext({
+		federation,
+		request: invalidRemoteContextHttpSignedRequest,
+		url: new URL(invalidRemoteContextHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			const url = new URL(resource).href;
+			if (url === remoteContextUrl) return {
+				contextUrl: null,
+				documentUrl: url,
+				document: [
+					"not",
+					"an",
+					"object"
+				]
+			};
+			return await mockDocumentLoader(url);
+		}
+	});
+	response = await handleInbox(invalidRemoteContextHttpSignedRequest, {
+		recipient: null,
+		context: invalidRemoteContextHttpSignedContext,
 		inboxContextFactory(_activity) {
 			return createInboxContext({
-				...unsignedContext,
-				clone: void 0,
-				recipient: "nobody"
+				...invalidRemoteContextHttpSignedContext,
+				clone: void 0
 			});
 		},
 		...inboxOptions
 	});
-	assertEquals(onNotFoundCalled, unsignedRequest);
-	assertEquals(response.status, 404);
-	onNotFoundCalled = null;
-	response = await handleInbox(unsignedRequest, {
+	assertEquals(response.status, 400);
+	const invalidUrlAbsoluteContextHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-invalid-url-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			ext: "preserve-me",
+			object: {
+				id: "https://example.com/notes/http-signed-invalid-url-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const invalidUrlAbsoluteContextHttpSignedContext = createRequestContext({
+		federation,
+		request: invalidUrlAbsoluteContextHttpSignedRequest,
+		url: new URL(invalidUrlAbsoluteContextHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			const url = new URL(resource).href;
+			if (url === remoteContextUrl) throw new TypeError(`Invalid URL: ${url}`);
+			return await mockDocumentLoader(url);
+		}
+	});
+	await assertRejects(() => handleInbox(invalidUrlAbsoluteContextHttpSignedRequest, {
 		recipient: null,
-		context: unsignedContext,
+		context: invalidUrlAbsoluteContextHttpSignedContext,
 		inboxContextFactory(_activity) {
 			return createInboxContext({
-				...unsignedContext,
+				...invalidUrlAbsoluteContextHttpSignedContext,
 				clone: void 0
 			});
 		},
 		...inboxOptions
+	}), Error);
+	const typeErrorHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-typeerror-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			ext: "preserve-me",
+			object: {
+				id: "https://example.com/notes/http-signed-typeerror-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const typeErrorHttpSignedContext = createRequestContext({
+		federation,
+		request: typeErrorHttpSignedRequest,
+		url: new URL(typeErrorHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			const url = new URL(resource).href;
+			if (url === remoteContextUrl) throw new TypeError(`The remote context host timed out: ${url}`);
+			return await mockDocumentLoader(url);
+		}
 	});
-	assertEquals(onNotFoundCalled, null);
-	assertEquals(response.status, 401);
-	response = await handleInbox(unsignedRequest, {
-		recipient: "someone",
-		context: unsignedContext,
+	await assertRejects(() => handleInbox(typeErrorHttpSignedRequest, {
+		recipient: null,
+		context: typeErrorHttpSignedContext,
 		inboxContextFactory(_activity) {
 			return createInboxContext({
-				...unsignedContext,
-				clone: void 0,
-				recipient: "someone"
+				...typeErrorHttpSignedContext,
+				clone: void 0
 			});
 		},
 		...inboxOptions
-	});
-	assertEquals(onNotFoundCalled, null);
-	assertEquals(response.status, 401);
-	onNotFoundCalled = null;
-	const signedRequest = await signRequest(unsignedRequest.clone(), rsaPrivateKey3, rsaPublicKey3.id);
-	const signedContext = createRequestContext({
+	}), Error);
+	const rangeErrorHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-rangeerror-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			ext: "preserve-me",
+			object: {
+				id: "https://example.com/notes/http-signed-rangeerror-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const rangeErrorHttpSignedContext = createRequestContext({
 		federation,
-		request: signedRequest,
-		url: new URL(signedRequest.url),
+		request: rangeErrorHttpSignedRequest,
+		url: new URL(rangeErrorHttpSignedRequest.url),
 		data: void 0,
-		documentLoader: mockDocumentLoader
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			const url = new URL(resource).href;
+			if (url === remoteContextUrl) throw new RangeError(`Temporary remote context cache window exceeded: ${url}`);
+			return await mockDocumentLoader(url);
+		}
 	});
-	response = await handleInbox(signedRequest, {
+	await assertRejects(() => handleInbox(rangeErrorHttpSignedRequest, {
 		recipient: null,
-		context: signedContext,
+		context: rangeErrorHttpSignedContext,
 		inboxContextFactory(_activity) {
 			return createInboxContext({
-				...unsignedContext,
+				...rangeErrorHttpSignedContext,
 				clone: void 0
 			});
 		},
 		...inboxOptions
+	}), Error);
+	const syntaxErrorHttpSignedRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify({
+			"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+			id: "https://example.com/activities/http-signed-syntax-context",
+			type: "Create",
+			actor: "https://example.com/person2",
+			ext: "preserve-me",
+			object: {
+				id: "https://example.com/notes/http-signed-syntax-context",
+				type: "Note",
+				attributedTo: "https://example.com/person2",
+				content: "Hello, world!"
+			}
+		})
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const syntaxErrorHttpSignedContext = createRequestContext({
+		federation,
+		request: syntaxErrorHttpSignedRequest,
+		url: new URL(syntaxErrorHttpSignedRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: async (resource) => {
+			const url = new URL(resource).href;
+			if (url === remoteContextUrl) {
+				const error = /* @__PURE__ */ new Error(`Transient syntax failure: ${url}`);
+				error.name = "jsonld.SyntaxError";
+				error.details = { code: "loading remote context failed" };
+				throw error;
+			}
+			return await mockDocumentLoader(url);
+		}
 	});
-	assertEquals(onNotFoundCalled, null);
-	assertEquals([response.status, await response.text()], [202, ""]);
+	await assertRejects(() => handleInbox(syntaxErrorHttpSignedRequest, {
+		recipient: null,
+		context: syntaxErrorHttpSignedContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...syntaxErrorHttpSignedContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	}), Error);
 	response = await handleInbox(signedRequest, {
 		recipient: "someone",
 		context: signedContext,
@@ -1090,6 +2095,64 @@ test("handleInbox()", async () => {
 	});
 	assertEquals(onNotFoundCalled, null);
 	assertEquals(response.status, 202);
+	const unsafeJson = {
+		"@context": ["https://www.w3.org/ns/activitystreams", { rev: "@reverse" }],
+		id: "https://example.com/activities/unsafe",
+		type: "Announce",
+		actor: "https://example.com/person2",
+		object: "https://example.com/notes/1",
+		rev: { object: {
+			id: "https://example.com/activities/undo",
+			type: "Undo",
+			actor: "https://example.com/person2"
+		} }
+	};
+	const unsafeRequest = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(unsafeJson)
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const unsafeContext = createRequestContext({
+		federation,
+		request: unsafeRequest,
+		url: new URL(unsafeRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	response = await handleInbox(unsafeRequest, {
+		recipient: null,
+		context: unsafeContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...unsafeContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(response.status, 202);
+	const unsafeLdRequest = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(await signJsonLd(unsafeJson, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: mockDocumentLoader }))
+	});
+	const unsafeLdContext = createRequestContext({
+		federation,
+		request: unsafeLdRequest,
+		url: new URL(unsafeLdRequest.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader
+	});
+	response = await handleInbox(unsafeLdRequest, {
+		recipient: null,
+		context: unsafeLdContext,
+		inboxContextFactory(_activity) {
+			return createInboxContext({
+				...unsafeLdContext,
+				clone: void 0
+			});
+		},
+		...inboxOptions
+	});
+	assertEquals(response.status, 400);
 	const signedInvalidRequest = await signRequest(new Request("https://example.com/", {
 		method: "POST",
 		body: JSON.stringify({
@@ -1487,6 +2550,263 @@ test("handleOutbox()", async () => {
 	assertEquals(response.status, 500);
 	assertEquals(onErrorCalled, true);
 });
+test("handleInbox() preserves the raw signed payload for inboxContextFactory", async () => {
+	const federation = createFederation({ kv: new MemoryKvStore() });
+	const remoteContextUrl = "https://remote.example/contexts/ext";
+	const sourceContextLoader = async (resource) => {
+		const url = new URL(resource).href;
+		if (url === remoteContextUrl) return {
+			contextUrl: null,
+			documentUrl: url,
+			document: { "@context": { ext: "https://example.com/ext" } }
+		};
+		return await mockDocumentLoader(url);
+	};
+	const signed = await signJsonLd({
+		"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+		id: "https://example.com/activities/preserve-raw",
+		type: "Create",
+		actor: "https://example.com/person2",
+		ext: "preserve-me",
+		object: {
+			id: "https://example.com/notes/preserve-raw",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		}
+	}, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: sourceContextLoader });
+	const request = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(signed)
+	});
+	const context = createRequestContext({
+		federation,
+		request,
+		url: new URL(request.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: sourceContextLoader
+	});
+	let receivedRaw = null;
+	let receivedTyped = null;
+	const inboxListeners = new ActivityListenerSet();
+	inboxListeners.add(Create, (ctx, activity) => {
+		receivedRaw = ctx.activity;
+		receivedTyped = activity;
+	});
+	const response = await handleInbox(request, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(recipient, activity, activityId, activityType) {
+			return {
+				...createInboxContext({
+					...context,
+					clone: void 0,
+					recipient
+				}),
+				activity,
+				activityId,
+				activityType
+			};
+		},
+		kv: new MemoryKvStore(),
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		actorDispatcher: (_ctx, identifier) => identifier === "someone" ? new Person({ name: "Someone" }) : null,
+		inboxListeners,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false
+	});
+	assertEquals([response.status, await response.text()], [202, ""]);
+	assertEquals(receivedRaw, signed);
+	const delivered = receivedTyped;
+	assert(delivered != null);
+	assertEquals(delivered.id?.href, "https://example.com/activities/preserve-raw");
+});
+test("handleInbox() enqueues normalizedActivity for LD-signed inbox work", async () => {
+	const remoteContextUrl = "https://remote.example/contexts/ext";
+	const sourceContextLoader = async (resource) => {
+		const url = new URL(resource).href;
+		if (url === remoteContextUrl) return {
+			contextUrl: null,
+			documentUrl: url,
+			document: { "@context": { ext: "https://example.com/ext" } }
+		};
+		return await mockDocumentLoader(url);
+	};
+	let queuedMessage = null;
+	const queue = {
+		enqueue(message) {
+			queuedMessage = message;
+			return Promise.resolve();
+		},
+		async listen() {}
+	};
+	const federation = createFederation({
+		kv: new MemoryKvStore(),
+		queue
+	});
+	const signed = await signJsonLd({
+		"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+		id: "https://example.com/activities/enqueued-normalized",
+		type: "Create",
+		actor: "https://example.com/person2",
+		ext: "preserve-me",
+		object: {
+			id: "https://example.com/notes/enqueued-normalized",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		}
+	}, rsaPrivateKey3, rsaPublicKey3.id, { contextLoader: sourceContextLoader });
+	const request = new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(signed)
+	});
+	const context = createRequestContext({
+		federation,
+		request,
+		url: new URL(request.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: sourceContextLoader
+	});
+	const response = await handleInbox(request, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(recipient, activity, activityId, activityType) {
+			return {
+				...createInboxContext({
+					...context,
+					clone: void 0,
+					recipient
+				}),
+				activity,
+				activityId,
+				activityType
+			};
+		},
+		kv: new MemoryKvStore(),
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		queue,
+		actorDispatcher: (_ctx, identifier) => identifier === "someone" ? new Person({ name: "Someone" }) : null,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false
+	});
+	assertEquals([response.status, await response.text()], [202, "Activity is enqueued."]);
+	const enqueued = queuedMessage;
+	assert(enqueued != null);
+	const inboxMessage = enqueued;
+	assertEquals(inboxMessage.activity, signed);
+	assertEquals(inboxMessage.normalizedActivity, await compactJsonLd(signed, sourceContextLoader));
+	assertEquals(inboxMessage.ldSignatureVerified, true);
+});
+test("handleInbox() caches normalizedActivity for queued signature-bearing fallback traffic", async () => {
+	const remoteContextUrl = "https://remote.example/contexts/ext";
+	let queuedMessage = null;
+	const queue = {
+		enqueue(message) {
+			queuedMessage = message;
+			return Promise.resolve();
+		},
+		async listen() {}
+	};
+	const federation = createFederation({
+		kv: new MemoryKvStore(),
+		queue
+	});
+	const sourceContextLoader = async (resource) => {
+		const url = new URL(resource).href;
+		if (url === remoteContextUrl) return {
+			contextUrl: null,
+			documentUrl: url,
+			document: { "@context": { ext: "https://example.com/ext" } }
+		};
+		return await mockDocumentLoader(url);
+	};
+	const unsignedBody = {
+		"@context": [remoteContextUrl, "https://www.w3.org/ns/activitystreams"],
+		id: "https://example.com/activities/non-lds-queued-signature",
+		type: "Create",
+		actor: "https://example.com/person2",
+		ext: "preserve-me",
+		object: {
+			id: "https://example.com/notes/non-lds-queued-signature",
+			type: "Note",
+			attributedTo: "https://example.com/person2",
+			content: "Hello, world!"
+		},
+		signature: {
+			type: "RsaSignature2017",
+			creator: "not a url",
+			created: "2024-09-12T16:50:46Z",
+			signatureValue: "Zm9v"
+		}
+	};
+	const request = await signRequest(new Request("https://example.com/", {
+		method: "POST",
+		body: JSON.stringify(unsignedBody)
+	}), rsaPrivateKey3, rsaPublicKey3.id);
+	const context = createRequestContext({
+		federation,
+		request,
+		url: new URL(request.url),
+		data: void 0,
+		documentLoader: mockDocumentLoader,
+		contextLoader: sourceContextLoader
+	});
+	const response = await handleInbox(request, {
+		recipient: "someone",
+		context,
+		inboxContextFactory(recipient, activity, activityId, activityType) {
+			return {
+				...createInboxContext({
+					...context,
+					clone: void 0,
+					recipient
+				}),
+				activity,
+				activityId,
+				activityType
+			};
+		},
+		kv: new MemoryKvStore(),
+		kvPrefixes: {
+			activityIdempotence: ["_fedify", "activityIdempotence"],
+			publicKey: ["_fedify", "publicKey"],
+			acceptSignatureNonce: ["_fedify", "acceptSignatureNonce"]
+		},
+		queue,
+		actorDispatcher: (_ctx, identifier) => identifier === "someone" ? new Person({ name: "Someone" }) : null,
+		onNotFound: () => new Response("Not found", { status: 404 }),
+		signatureTimeWindow: { minutes: 5 },
+		skipSignatureVerification: false
+	});
+	assertEquals([response.status, await response.text()], [202, "Activity is enqueued."]);
+	if (queuedMessage == null) throw new Error("Inbox message not queued.");
+	const inboxMessage = queuedMessage;
+	assertEquals(inboxMessage, {
+		type: "inbox",
+		id: inboxMessage.id,
+		baseUrl: "https://example.com",
+		activity: unsignedBody,
+		normalizedActivity: await compactJsonLd(unsignedBody, sourceContextLoader),
+		ldSignatureVerified: false,
+		started: inboxMessage.started,
+		attempt: 0,
+		identifier: "someone",
+		traceContext: inboxMessage.traceContext
+	});
+});
 test("respondWithObject()", async () => {
 	const response = await respondWithObject(new Note({
 		id: new URL("https://example.com/notes/1"),